If you want to get smart about open standards, you have to watch how these things play out in another open thing -- the market. Because it's the market that just as often shapes a standard as it is a standard that shapes the market.

And to understand it, you have to understand the often-submerged motives of tech people who work at big companies.

For example, why are there so many iconic representations for a feed? Is it because we didn't anticipate in advance that there would be a need for one? Hardly. It's because the big companies, when they came in, ignored prior art and created their own way to do it. Once there were two, why not have twenty-two? Of course that's exactly what happened.

Last year (the one that just ended) it seemed that OAuth had finally gotten to a point where it was frozen. It was deploying in Twitter, and they were making sounds as if they would at some time not too far down the road turn off the username-password way of authenticating users. So I rolled up my sleeves and implemented OAuth in the OPML Editor so my apps could use it. Turns out I was mistaken in believing that it was frozen, because, due to a security issue, they had to change OAuth, and I haven't revisited my code yet to adopt the change, so it doesn't work with the Twitter implementation of OAuth, which, honestly, is the only one I care about.

But wait -- it's even worse than it appears (one of my favorite mottos, a persistent disclaimer for all things technical, an adjunct to Murphy's Law). Turns out the creators of OAuth have changed their mind and think it should be stripped to the metal and rebuilt around HTTPS. So not only do I have to throw out all the work I've done, but so does Twitter, and even better worse, my environment doesn't have glue for HTTPS so I'll have to get that together. When will all this happen? Heh. That's the rub. My guess is that, based on past experience with the tech biz, it'll never happen. The people pushing this stuff are young, they haven't been around the loop before. Doesn't matter. Big companies are like Ouija boards. The people don't control them, the psychology does. In the BigCo mindset it's always Day Zero, and the value of all the implementations so far is $0.

The entrepreneurs and the developing platforms are left with nothing to do. The old way of doing things is "deprecated" and the new way is a moving target, never finished, always subject to second-guessing. No one wins this game, but eventually a new thing comes along, and the problems of the last generation seem old.

If OAuth is to have a chance at being a foundation to build on, it would need founders who say to those who want to completely redefine it that they should do it in a new playground, and let OAuth develop without interference. That, unfortunately for OAuth, and the people who have already invested, is not happening.

PS: The argument that OAuth is too hard to implement is moot. Imho, everyone who had to implement it had already implemented it. If I could get it working in a month in the OPML Editor, even though it was a grueling month, it may be hard, but it's not too hard. Moot. An excuse to rip up the pavement and delay deployment, it seems to me.

Update: After writing this post I decided to look into what it would take to unbreak the OPML Editor's support for Twitter's OAuth implementation, and was able to fix it in about 45 minutes. I released the parts and documented it on the Frontier news website.